https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037897#M145884 <P>I have two ASA5545 and two catalyst4507 switch. Switches are in vss mode. I have to cluster both &nbsp;the ASA through switch.</P> <P>Configuration is as below:-</P> <P></P> <P>ASA-2# sh run cluster<BR />cluster group ASA-CLUSTER<BR /> local-unit ASA-2<BR /> cluster-interface Port-channel10 ip 192.168.21.3 255.255.255.248<BR /> priority 2<BR /> health-check holdtime 3<BR /> health-check data-interface auto-rejoin 3 5 2<BR /> health-check cluster-interface auto-rejoin unlimited 5 1<BR /> clacp system-mac auto system-priority 1</P> <P>ASA-1# sh run cluster<BR />cluster group ASA-CLUSTER<BR /> local-unit ASA-1<BR /> cluster-interface Port-channel10 ip 192.168.21.2 255.255.255.248<BR /> priority 1<BR /> console-replicate<BR /> health-check holdtime 3<BR /> health-check data-interface auto-rejoin 3 5 2<BR /> health-check cluster-interface auto-rejoin unlimited 5 1<BR /> clacp system-mac auto system-priority 1</P> <P>-------------------------------------------<BR />ASA-2# sh run inter gi0/7<BR />!<BR />interface GigabitEthernet0/7<BR /> channel-group 10 mode on<BR />ASA-2#</P> <P>-----------------------------------------<BR />ASA-1# sh run inter gi0/7<BR />!<BR />interface GigabitEthernet0/7<BR /> channel-group 10 mode on<BR />ASA-1#</P> <P>----------------------------------------------<BR />on switch</P> <P>SW- inter gi1/1/4<BR /> - swi mode acc<BR /> - swi acc vlan 23<BR /> - channel-group 10 mode on</P> <P>--inter gi2/1/4<BR /> - swi mode acc<BR /> - swi acc vlan 23<BR /> - channel-group 10 mode on</P> <P></P> <P>now only one ASA is reachable from switch. means when ASA-1 (IP .2) is reachable from switch but not ASA-2 (IP- .3).</P> <P>When I removing cable from ASA-1 then ASA-2 is reachable. So how they will sync.</P> <P>when enabling cluster both ASA &nbsp;becomes MASTER.&nbsp;</P> <P>Any solution ?</P> <P></P> Tue, 12 Mar 2019 09:02:37 GMT veevekraj 2019-03-12T09:02:37Z https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037897#M145884 <P>I have two ASA5545 and two catalyst4507 switch. Switches are in vss mode. I have to cluster both &nbsp;the ASA through switch.</P> <P>Configuration is as below:-</P> <P></P> <P>ASA-2# sh run cluster<BR />cluster group ASA-CLUSTER<BR /> local-unit ASA-2<BR /> cluster-interface Port-channel10 ip 192.168.21.3 255.255.255.248<BR /> priority 2<BR /> health-check holdtime 3<BR /> health-check data-interface auto-rejoin 3 5 2<BR /> health-check cluster-interface auto-rejoin unlimited 5 1<BR /> clacp system-mac auto system-priority 1</P> <P>ASA-1# sh run cluster<BR />cluster group ASA-CLUSTER<BR /> local-unit ASA-1<BR /> cluster-interface Port-channel10 ip 192.168.21.2 255.255.255.248<BR /> priority 1<BR /> console-replicate<BR /> health-check holdtime 3<BR /> health-check data-interface auto-rejoin 3 5 2<BR /> health-check cluster-interface auto-rejoin unlimited 5 1<BR /> clacp system-mac auto system-priority 1</P> <P>-------------------------------------------<BR />ASA-2# sh run inter gi0/7<BR />!<BR />interface GigabitEthernet0/7<BR /> channel-group 10 mode on<BR />ASA-2#</P> <P>-----------------------------------------<BR />ASA-1# sh run inter gi0/7<BR />!<BR />interface GigabitEthernet0/7<BR /> channel-group 10 mode on<BR />ASA-1#</P> <P>----------------------------------------------<BR />on switch</P> <P>SW- inter gi1/1/4<BR /> - swi mode acc<BR /> - swi acc vlan 23<BR /> - channel-group 10 mode on</P> <P>--inter gi2/1/4<BR /> - swi mode acc<BR /> - swi acc vlan 23<BR /> - channel-group 10 mode on</P> <P></P> <P>now only one ASA is reachable from switch. means when ASA-1 (IP .2) is reachable from switch but not ASA-2 (IP- .3).</P> <P>When I removing cable from ASA-1 then ASA-2 is reachable. So how they will sync.</P> <P>when enabling cluster both ASA &nbsp;becomes MASTER.&nbsp;</P> <P>Any solution ?</P> <P></P> Tue, 12 Mar 2019 09:02:37 GMT https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037897#M145884 veevekraj 2019-03-12T09:02:37Z https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037898#M145885 <P><SPAN class="fullname" itemprop="author"><A href="https://supportforums.cisco.com/users/veevekraj1" title="View user profile." class="username" lang="" about="/users/veevekraj1" typeof="sioc:UserAccount" property="foaf:name" datatype="">Hey veevekraj1, </A></SPAN></P> <P><SPAN class="fullname" itemprop="author">Did you get a solution or work-around for this issue? I am facing a similar dilemma now. Kindly share how you handled this.</SPAN></P> <P><SPAN class="fullname" itemprop="author">Thanks.</SPAN></P> Thu, 25 May 2017 16:44:28 GMT https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037898#M145885 Kunle 2017-05-25T16:44:28Z https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037899#M145887 <BLOCKQUOTE> <P>In ASA cluster we need minimum 2 link form each ASA for a port channel. Otherwise it will not be a good implementation. If u will use only one link per ASA for CCL link then it will hamper data interface. Like.....when cluster port channel will go down cluster will break and data interface of the context will also go down.</P> <P></P> <P>Apart from cluster issue my issue was related to etherchannel. Need to check etherchannel configuration and issue will be resolved.</P> </BLOCKQUOTE> Fri, 26 May 2017 06:57:26 GMT https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037899#M145887 veevekraj 2017-05-26T06:57:26Z https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037900#M145888 <P></P> <P>Thanks <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A href="https://supportforums.cisco.com/users/veevekraj1" title="View user profile." class="username" lang="" about="/users/veevekraj1" typeof="sioc:UserAccount" property="foaf:name" datatype="">veevekraj1</A></SPAN></SPAN></P> Mon, 29 May 2017 19:52:57 GMT https://community.cisco.com/t5/network-security/asa-cluster-issue/m-p/3037900#M145888 Kunle 2017-05-29T19:52:57Z